Uplift clippy::invalid_null_ptr_usage lint as invalid_null_arguments
#119220
Conversation
rustbot
added
S-waiting-on-review
|
Some changes occurred in src/tools/clippy cc @rust-lang/clippy |
rustbot
added
the
I-lang-nominated
This comment has been minimized.
This comment has been minimized.
Urgau
force-pushed
the
uplift-invalid_null_ptr_usage
branch
2 times, most recently
from
b25c44c to
7308419
Compare
This comment has been minimized.
This comment has been minimized.
Urgau
force-pushed
the
uplift-invalid_null_ptr_usage
branch
from
7308419 to
05aabc1
Compare
|
I think @saethlin has also found plenty of code that hits this in the wild, so this seems like a good lint. |
|
You're probably referring to PyO3/pyo3#2687 and servo/font-kit#197 I don't think either of these would be detected by the lint, but I agree that this is a reasonable lint target. |
apiraino
added
S-waiting-on-team
|
I'll flag this as |
|
☔ The latest upstream changes (presumably #120991) made this pull request unmergeable. Please resolve the merge conflicts. |
|
(Just me, with my lang hat on but not talking for the team.) I wish there was an easier way for these to get added without waiting on us. Would you be interested in making a proposal of some sort for making maybe a It'd be great if, rather than lang needing to approve stuff, it'd just be |
|
That feels similar to what flux and verus are doing but at a smaller scale. Unsure about allowing downstream users to access it but it'd be great to make these kinds of checks more prevalent (and not just for null ptr cases) |
|
I do like refinement types. We should discuss this further, I love the idea of rust expanding its sights of correctness to this, rather than a devtool (what flux does atm) |
|
I would if there was an easier way to add those kind of lints. Using the
That would be awesome, I would love if it were this "simple". I can write something akin to an MCP (for t-lang) but I don't have the time for a full RFC :-) |
This comment was marked as outdated.
This comment was marked as outdated.
|
@traviscross It's been more than a year since I nominated this PR for T-lang, I know it's not high priority/high in the list, and I don't mind waiting, but it's becoming annoying to maintain these kind of PR. This one in particular has nearly all modified files in conflict. Is this something T-lang would accept? Is there a way to gather consensus outside of a nomination? If not I rather close this PR than continue to waste my time maintaining this PR. |
rustbot
added
the
I-lang-easy-decision
traviscross
added
T-lang
|
Team member @traviscross has proposed to merge this. The next step is review by the rest of the tagged team members: Concerns:
Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! cc @rust-lang/lang-advisors: FCP proposed for lang, please feel free to register concerns. |
rfcbot
added
proposed-final-comment-period
|
Anyone have a better suggestion for the lint name than |
This comment has been minimized.
This comment has been minimized.
Urgau
force-pushed
the
uplift-invalid_null_ptr_usage
branch
from
b36fb5a to
334634c
Compare
rustbot
added
the
T-compiler
…ywiser
Fix false-positive in `expr_or_init` and in the `invalid_from_utf8` lint
This PR fixes the logic for finding initializer in the `expr_or_init` and `expr_or_init_with_outside_body` functions.
If the binding were to be mutable (`let mut`), the logic wouldn't consider that the initializer expression could have been modified and would return the init expression even-trough multiple subsequent assignments could have been done.
Example:
```rust
let mut a = [99, 108, 130, 105, 112, 112]; // invalid, not UTF-8
loop {
a = *b"clippy"; // valid
break;
}
std::str::from_utf8_mut(&mut a); // currently warns, with this PR it doesn't
```
This PR modifies the logic to excludes mutable let bindings.
Found when using `expr_or_init` in rust-lang#119220.
r? compiler
…ywiser
Fix false-positive in `expr_or_init` and in the `invalid_from_utf8` lint
This PR fixes the logic for finding initializer in the `expr_or_init` and `expr_or_init_with_outside_body` functions.
If the binding were to be mutable (`let mut`), the logic wouldn't consider that the initializer expression could have been modified and would return the init expression even-trough multiple subsequent assignments could have been done.
Example:
```rust
let mut a = [99, 108, 130, 105, 112, 112]; // invalid, not UTF-8
loop {
a = *b"clippy"; // valid
break;
}
std::str::from_utf8_mut(&mut a); // currently warns, with this PR it doesn't
```
This PR modifies the logic to excludes mutable let bindings.
Found when using `expr_or_init` in rust-lang#119220.
r? compiler
…ywiser
Fix false-positive in `expr_or_init` and in the `invalid_from_utf8` lint
This PR fixes the logic for finding initializer in the `expr_or_init` and `expr_or_init_with_outside_body` functions.
If the binding were to be mutable (`let mut`), the logic wouldn't consider that the initializer expression could have been modified and would return the init expression even-trough multiple subsequent assignments could have been done.
Example:
```rust
let mut a = [99, 108, 130, 105, 112, 112]; // invalid, not UTF-8
loop {
a = *b"clippy"; // valid
break;
}
std::str::from_utf8_mut(&mut a); // currently warns, with this PR it doesn't
```
This PR modifies the logic to excludes mutable let bindings.
Found when using `expr_or_init` in rust-lang#119220.
r? compiler
Rollup merge of rust-lang#138360 - Urgau:fix-fp-expr_or_init, r=wesleywiser Fix false-positive in `expr_or_init` and in the `invalid_from_utf8` lint This PR fixes the logic for finding initializer in the `expr_or_init` and `expr_or_init_with_outside_body` functions. If the binding were to be mutable (`let mut`), the logic wouldn't consider that the initializer expression could have been modified and would return the init expression even-trough multiple subsequent assignments could have been done. Example: ```rust let mut a = [99, 108, 130, 105, 112, 112]; // invalid, not UTF-8 loop { a = *b"clippy"; // valid break; } std::str::from_utf8_mut(&mut a); // currently warns, with this PR it doesn't ``` This PR modifies the logic to excludes mutable let bindings. Found when using `expr_or_init` in rust-lang#119220. r? compiler
This comment was marked as resolved.
This comment was marked as resolved.
Urgau
force-pushed
the
uplift-invalid_null_ptr_usage
branch
from
334634c to
1ceebfe
Compare
rfcbot
added
finished-final-comment-period
|
The final comment period, with a disposition to merge, as per the review above, is now complete. As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed. This will be merged soon. |
traviscross
changed the title
clippy::invalid_null_ptr_usage lintclippy::invalid_null_arguments lint
traviscross
changed the title
clippy::invalid_null_arguments lintclippy::invalid_null_ptr_usage lint as invalid_null_arguments
Urgau
force-pushed
the
uplift-invalid_null_ptr_usage
branch
from
1ceebfe to
7739280
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Urgau
force-pushed
the
uplift-invalid_null_ptr_usage
branch
from
7739280 to
441fb02
Compare
This PR aims at uplifting the
clippy::invalid_null_ptr_usagelint into rustc, this is similar to theclippy::invalid_utf8_in_uncheckeduplift a few months ago, in the sense that those two lints lint on invalid parameter(s), here a null pointer where it is unexpected and UB to pass one.For context: GitHub Search reveals that just for
slice::from_raw_parts{_mut}~20 invalid usages withptr::nulland an additional 4 invalid usages with0 as *const ...-ish casts.invalid_null_arguments(deny-by-default)
The
invalid_null_argumentslint checks for invalid usage of null pointers.Example
Produces:
Explanation
Calling methods whose safety invariants requires non-null pointer with a null pointer is undefined behavior.
The lint use a list of functions to know which functions and arguments to checks, this could be improved in the future with a rustc attribute, or maybe even with a
#[diagnostic]attribute.This PR also includes some small refactoring to avoid some ambiguities in naming, those can be done in another PR is desired.
@rustbot label: +I-lang-nominated
r? compiler